search

etyp / meteor-accounts-ldap

A Meteor package for logging in and creating users with LDAP credentials
MIT License
39 stars 23 forks source link

AD login issue: InvalidDistinguishedNameError #8

Closed cope closed 8 years ago

cope commented 9 years ago

After finally getting through the v1db1 authentication error, I got stuck at this one, and I have no idea what to try next :(

I20150826-14:23:02.399(2)? Exception while invoking method 'login' InvalidDistinguishedNameError: mycompany.com\cope
I20150826-14:23:02.399(2)?     at invalidDN (C:\Users\cope\AppData\Local\.meteor\packages\typ_ldapjs\0.7.3\npm\node_modules\ldapjs\lib\dn.js:6:11)
I20150826-14:23:02.400(2)?     at parseRdn (C:\Users\cope\AppData\Local\.meteor\packages\typ_ldapjs\0.7.3\npm\node_modules\ldapjs\lib\dn.js:66:15)
I20150826-14:23:02.400(2)?     at Object.parse (C:\Users\cope\AppData\Local\.meteor\packages\typ_ldapjs\0.7.3\npm\node_modules\ldapjs\lib\dn.js:178:13)
I20150826-14:23:02.400(2)?     at Client.search (C:\Users\cope\AppData\Local\.meteor\packages\typ_ldapjs\0.7.3\npm\node_modules\ldapjs\lib\client\client.js:667:49)
I20150826-14:23:02.400(2)?     at packages/typ:accounts-ldap/ldap_server.js:98:1
I20150826-14:23:02.400(2)?     at _done (C:\Users\cope\AppData\Local\.meteor\packages\typ_ldapjs\0.7.3\npm\node_modules\ldapjs\lib\client\client.js:791:12)
I20150826-14:23:02.401(2)?     at messageCallback (C:\Users\cope\AppData\Local\.meteor\packages\typ_ldapjs\0.7.3\npm\node_modules\ldapjs\lib\client\client.js:869:16)
I20150826-14:23:02.401(2)?     at Parser.onMessage (C:\Users\cope\AppData\Local\.meteor\packages\typ_ldapjs\0.7.3\npm\node_modules\ldapjs\lib\client\client.js:199:12)
I20150826-14:23:02.401(2)?     at Parser.emit (events.js:95:17)
I20150826-14:23:02.401(2)?     at Parser.write (C:\Users\cope\AppData\Local\.meteor\packages\typ_ldapjs\0.7.3\npm\node_modules\ldapjs\lib\messages\parser.js:105:8)
cope commented 9 years ago

Based on this: https://github.com/mcavage/node-ldapjs/commit/408e7c9f9922e0121e870c33cd7c7dfa8eb285e9

I tried adding 

LDAP_DEFAULTS.strictDN = false;

and I tried

Meteor.loginWithLDAP(lUsername, lPwd, {
    strictDN: false,

but neither worked :(

etyp commented 8 years ago

@cope have you tried doing a successful bind using only the ldapjs package + a plain node script?

cope commented 8 years ago

No, sorry... I found another solution and moved on since the ROI on doing further research was just not there :(

aaroncalderon commented 8 years ago

@cope what was the v1db1 error that you where having? and how did you solved it?

I am having the following error myself:

80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

I am troubleshooting with different dn values. I will try to do a bind with just ldapjs as typ90 suggests.

Regards.

aaroncalderon commented 8 years ago

Update: I did a script and still got the same error, did not matter how I passed the user name parameter (domain\user, user, or user@domain.com).

I tried with node-activedirectory (which uses ldapjs as its backend) and I am able to authenticate successfully (bind). So, I will need to look into node-activedirectory and see if I can use it with Meteor.

Regards.

aaroncalderon commented 8 years ago

@cope I figured out how to bind (authenticate) and search for a user. It turns out the that I had a few things wrong with my setup. I happened to come across the same error InvalidDistinguishedNameError and it turned out to be the format. So a fully qualified DN is:

an attribute value assertion with = as the seperator, like: cn=foo where 'cn' is 'commonName' and 'foo' is the value.

-- ldapjs.org/dn.html

so, in your case you DN may have been 'DC=mycompany,DC=com', I am not sure about the \cope part though.

bind

With regards to the issue I had above It turns out that I was indeed able to bind with the following combinations

search

Then the base was wrong. I was using 'OU=Users,DC=Example,DC=com', when I started researching the base parameters that where being successful with node-activedirectory, I derided to use 'DC=Example,DC=com' instead, and the bind was successful. Once my base issue was addressed I moved on to finding the exact user.

I used the filter. In my case I had to use a different attribute that the one shown on the readme file.

The readme says 

//on the server
LDAP_DEFAULTS.base = 'OU=User,DC=your,DC=company,DC=com';

//on the client
var domain = "yourDomain";

Meteor.loginWithLDAP(user, password,
  { dn: domain + '\\' + user, search: '(sAMAccountName=' + user + ')' } , function(err, result) { ... }
);

I had to use the following: 

//on the client
//
LDAP_DEFAULTS = {}; // this line makes the variable act as a global variable
LDAP_DEFAULTS.base = 'DC=example,DC=com';
LDAP_DEFAULTS.search = '(&(objectClass=person)({{username}}))'

// on my login function

// notice that I am using the form of user@example.com
// and that my LDAP_DEFAULTS variable is made global by defining 
// it on a config.js file on the root of my project with the purpose of shearing
// the variable between client and server

// this part confused me, but I saw how the accounts-ldap module uses the parameter 
// internally  to perform the `client.bind(..)` call on the [ldap_server.js] @ line 101
// (https://github.com/typ90/meteor-accounts-ldap/blob/master/ldap_server.js#L101)
LDAP_DEFAULTS.dn = username;

// I replace the {{username}} placeholder with the input from the username field
LDAP_DEFAULTS.search = LDAP_DEFAULTS.search.replace("{{username}}", "mail="+username); 

Meteor.loginWithLDAP(user, password, LDAP_DEFAULTS, function(err, result) { ... }
);

And it works.

@typ90 I suppose you can close this one.